New Jersey's Cablevision Hijacks DNS Error Pages

Posted by timothy on Tuesday September 30, @08:58AM
from the fine-line-between-service-and-serviced dept.
Selikoff writes "I just noticed Cablevision's Optimum Online service has begun hijacking DNS Error pages with, you guessed it, ad-supported results. Aside from hurting the underlying stability of the Internet, there have been instances where hackers have used such tools against customers. I know Road Runner customers have had to deal with this for a couple months now, although at least they have an outlet to turn it off." Update: 09/30 13:18 GMT by T : Note, as several readers have pointed out, this hijacking is of DNS errors rather than 404 errors as originally presented.
  • Give me a break... (Score:5, Informative)

    by geminidomino (614729) * on Tuesday September 30, @09:00AM (#25203493) Homepage Journal

    Even on slashdot, we have people who don't know a DNS error (and yes, TFA gets it right) from a 404 (which can't be hijacked without modifying the stream itself)

  • by thetorpedodog (750359) on Tuesday September 30, @09:04AM (#25203523) Homepage
    The Cablevision and Road Runner services both only hijack DNS no-such-domain errors, not HTTP 404s. Neither is a good thing, but hijacking DNS is much less insidious than the deep-packet inspection or mandatory proxying required to hijack 404 errors.
  • No, they didn't (Score:5, Informative)

    by schon (31600) on Tuesday September 30, @09:04AM (#25203527) Homepage

    New Jersey's Cablevision Hijacks 404 Error Pages

    No, they didn't.

    If the submitter had read the summary, they would know that it's DNS errors that are being hijacked, not 404s.

    It's an important difference - 404 means that they are transparently proxying your connections, which can cause problems with various sites (and that they are recording every URL you visit.)

    For example: http://slashdot.org/akasjdflkasdjfl;kajsdl;aksdjfkdjkfdjlkjsdf [slashdot.org] would not be affected by this, whereas http://sslashhdot.org/ [sslashhdot.org] would.

    Is it *too* much to ask that a technical news site present technical articles correctly?

    • Re:No, they didn't (Score:5, Insightful)

      by zerocool^ (112121) on Tuesday September 30, @09:11AM (#25203597) Homepage Journal

      Right, and while it might seem repulsive to some to have them proxy your web connections, I honestly find it more repulsive to hijack failed DNS queries, because this affects spam. Maybe it's just because I work for a professional email hosting company, but come on now. Failed dns lookup = drop mail as spam. Maybe not as critical because it's an ISP with mostly end users, but what if they're doing this to their small business customers, too?

      ~Wx

    • Re:No, they didn't (Score:5, Insightful)

      by Tim C (15259) on Tuesday September 30, @09:24AM (#25203725)

      It's an important difference - 404 means that they are transparently proxying your connections

      And inspecting the packet contents looking for HTTP 404 error code returns, and either modifying the returned HTML to insert their own ads or else (and much, much simpler and more practicable) discarding the rest of the data stream and substituting their own.

      Hijacking DNS errors is wrong; hijacking HTTP 404 returns would be Evil.

  • by MRe_nl (306212) on Tuesday September 30, @09:06AM (#25203537)

    The blue screen of russian women 4 U? BSORW4U!
    or
    Buy Vi4GR@ now! By the way: Syntax error.

  • Don't use your ISP's DNS servers.
    Find another public server or run your own.

  • Possible solution? (Score:5, Interesting)

    by Gordonjcp (186804) on Tuesday September 30, @09:07AM (#25203559) Homepage

    They're returning adverts for failed DNS lookups, not 404 pages, as others have helpfully pointed out.

    How about a script that hammers suitably random fake domain names continuously (different ones every time)? If the scammers^W advertisers are paying per impression this will majorly hurt their pockets.

    • by hal9000(jr) (316943) on Tuesday September 30, @09:16AM (#25203637)
      How about a script that hammers suitably random fake domain names continuously (different ones every time)? If the scammers^W advertisers are paying per impression this will majorly hurt their pockets.

      Wouldn't that actually help? The impression revenue is probably tied to ads that are *presented*. If you simply did a bunch of look-ups on fake names, all you would get are A records to the ad page. You would then have to hit the web server, download the page and any elements. Then the advertisers would be paying per impression.
    • by Piranhaa (672441) on Tuesday September 30, @09:30AM (#25203781)

      As much as I hate dns being hijacked (I don't have the issue as I run my own), I'm sure these ISPs view it in a different light. Their argument will be that it's a 'feature' rather than being intrusive on people's browsing: "Helping our customers get to the proper website" or that it helps keep the price of the internet service low so you don't have to pay as much per month. Also, if you start hammering this, I'm sure a flag will rise (if they're at least half smart) and they'll send a nice email out to you stating that you're abusing your service, yada yada..

      Not that any of this is a good thing, but you gotta see it from another perspective...

  • by profet (263203) on Tuesday September 30, @09:08AM (#25203573)
  • OpenDNS does this (Score:3, Interesting)

    by fprintf (82740) on Tuesday September 30, @09:19AM (#25203659)

    I just redirected my DNS queries to OpenDNS, mostly because of the content/phishing filtering they offer but also some of the statistics on my connection. They make their money, or propose to, by doing this very thing... redirecting Domain Not Found error messages to ad supported pages.

    • Re: (Score:3, Interesting)

      They make their money, or propose to, by doing this very thing... redirecting Domain Not Found error messages to ad supported pages.

      If that's the case then, regardless of how ethical or up-front they may be about it, they are unsuitable for certain uses. Ran into this when earthlink started doing this crap and I was running a dnsbl for my own mail server, with forwarding set to one of ELN's DNS servers. Suddenly nothing came through. It was because everything was coming back as a hit.
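
The DNSBL failure described in the comment above, as an added example that is not part of the original thread: a blocklist check that treats any answer as a hit, beside one that accepts only 127.0.0.0/8 return codes and uses the RFC 5782 test entries to spot a rewriting forwarder. The zone `bl.example`, the records and both resolver functions are constructed for illustration.

```python
import ipaddress
import socket

DNSBL_CODES = ipaddress.ip_network("127.0.0.0/8")  # listing answers live here

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """A records via the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def naive_listed(ip, zone, resolve=system_resolve):
    """Weak form: any answer at all counts as a listing."""
    return bool(resolve(dnsbl_name(ip, zone)))

def strict_check(ip, zone, resolve=system_resolve):
    """'listed' only for 127.0.0.0/8 answers; other answers are not a listing."""
    answers = [ipaddress.ip_address(a) for a in resolve(dnsbl_name(ip, zone))]
    if not answers:
        return "not-listed"
    if all(a in DNSBL_CODES for a in answers):
        return "listed"
    return "resolver-rewritten"

def resolver_sane(zone, resolve=system_resolve):
    """RFC 5782 test entries: 127.0.0.2 is listed, 127.0.0.1 never is."""
    return (strict_check("127.0.0.2", zone, resolve) == "listed"
            and not resolve(dnsbl_name("127.0.0.1", zone)))

# Constructed data: hypothetical zone "bl.example" with one listed address.
ZONE = "bl.example"
RECORDS = {"2.0.0.127.bl.example": ["127.0.0.2"],
           "7.113.0.203.bl.example": ["127.0.0.4"]}

def honest(name):
    return RECORDS.get(name, [])

def rewriting(name):
    # Models an NXDOMAIN-rewriting forwarder: misses become an ad-server address.
    return RECORDS.get(name) or ["198.51.100.10"]
```

Running `resolver_sane` against the real zone at mail server start-up catches a forwarder that has begun rewriting before it turns every sender into a hit.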

  • I love /. (Score:5, Funny)

    by elrous0 (869638) * on Tuesday September 30, @09:31AM (#25203805)
    I love it when an editor or story writer makes a technical error on /. You can actually hear the simultaneous erections of a thousand anal-retentive techies, each typing as fast as they can without even bothering to check if their fellow anal-retentives hadn't already pointed the same thing out in dozens of posts. It's the best sexual gratification most of them are going to get all day.
  • by InspectorxGadget (1230170) on Tuesday September 30, @09:32AM (#25203813)
    Hey, let's not be too quick to judge here. Sometimes I do look for sex entertainment phentermine college click here now rolex and I'm glad at least one ISP understands that.
  • Easily solved (Score:3, Informative)

    by houghi (78078) on Tuesday September 30, @09:36AM (#25203855) Homepage

    http://www.opendns.com/ [opendns.com]

    However this does not solve it for less technical people as they would have no idea what is going on, would have no idea how to solve it and perhaps have not even a clue that there is a problem and that they typed in something wrong.

    If I were looking for nekid ladies, this might be helpful. If I try to contact my bank it isn't. It could even be dangerous if things I were looking for is something similar to what I get presented as advertisement.

  • Rogers Cable (Score:3, Informative)

    by Naito (667851) on Tuesday September 30, @10:08AM (#25204157)
    Rogers Cable high-speed internet has been doing that for the past couple months now too. URL typos get redirected to their own search.rogers.yahoo.com or something like that, disabling toolbar search functions in browsers.

    The kicker is that I also think they're actively blocking access to other search engines periodically in order to increase usage of their own. www.Google.com will sometimes time out while trying to load, but works fine when accessed through Dogpile meta-search.

    Since I've moved off of Rogers already, I can't do more experiments to test, but if anyone else is on it, I suggest you keep an eye out.
    • Re: (Score:3, Interesting)

      They probably use a transparent web proxy between the user PC and the web server.

      When the web server sends a standard 404 error page, it goes via the proxy which puts its page in place of it.

    • 404 == HTTP error code for "page not found". And the summary's wrong, they're actually hijacking 502 (bad gateway/no such domain) pages, which is a major difference. Hijacking 502s only requires their DNS servers to redirect nonexistent domains to the ad page, while hijacking 404s would require them to sniff every page you visit.

    • Quite simple: run a mailserver, then use this type of DNS server. In a few days, you'll have so much mail that doesn't get accepted by xxx.xxx.xxx.xxx (your provider's DNS) that it might fill your storage. Then 7 days later (instead of a few hours later) the e-mail gets sent back with the message that the other server doesn't accept the mail (instead of saying that the domain doesn't exist) after being retried hundreds of times eating up valuable bandwidth and processing time. Then if your end-user isn't smart enough, he'll retry sending it, not noticing he has a typo in his address book, because after all, the other e-mail server DOES exist.

    • by carambola5 (456983) on Tuesday September 30, @10:30AM (#25204351) Homepage

      A laughable example of how poorly implemented the Charter DNS error is:

      http://flickr.com/photos/listrophy/2194252038/ [flickr.com]

      Things to note:

      • This is an image of the opt-out result.
      • The browser running is Flock on OS X.
      • The result is a fake IE DNS error page with a "Manage Opt-in/Out Settings" link appended.
      • Charter was too lazy to even fix the image src attributes. (they point to res://...)
      • It's not a true opt-out, because it still returns a 200 OK rather than a DNS Lookup error.

      For this and many other things, I have since stopped using Charter. My soul feels so much cleaner now that I'm not giving them money.
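
A way to check whether a resolver, or an ISP's opt-out, really returns a lookup failure for names that do not exist, as the thread describes. This is an added example, not code from any commenter. The `honest` and `rewriting` resolvers and the address 198.51.100.10 are constructed so that the block runs offline; `system_resolve` is what you would pass on a live connection.

```python
import secrets
import socket
from collections import Counter

def system_resolve(name):
    """A records via the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def probe(resolve=system_resolve, suffixes=("com", "net", "org"), per_suffix=3):
    """Look up random names that should not exist; count the addresses returned."""
    landing = Counter()
    total = 0
    for suffix in suffixes:
        for _ in range(per_suffix):
            total += 1
            # 24 random hex characters: unregistered for practical purposes
            for addr in set(resolve(f"{secrets.token_hex(12)}.{suffix}")):
                landing[addr] += 1
    return total, landing

def classify(total, landing):
    """'clean' if nothing resolved; 'rewriting' if unrelated names share an address."""
    if not landing:
        return "clean"
    if max(landing.values()) >= 2:
        return "rewriting"
    return "inconclusive"  # a single stray answer proves nothing either way

# Constructed resolvers for an offline run.
def honest(name):
    return []  # every probe name fails to resolve, as it should

def rewriting(name):
    return ["198.51.100.10"]  # every miss is pointed at one ad server

if __name__ == "__main__":
    for label, resolver in (("honest", honest), ("rewriting", rewriting)):
        total, landing = probe(resolver)
        print(label, classify(total, landing), dict(landing))
```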